2014-09-25

Signs that the terrorism threat might be overblown

Or maybe just a sign that the US education system is a pool of sharks...

Modern terrorism getting you down? Don't worry, it's an opportunity for you! Sign up for a certificate in Terrorism Studies!

In the program, you will develop an understanding of terrorism and counter-terrorism. The online program is suitable for students interested in pursuing a career in homeland security at local, state, or federal levels; joining national and international counter-terrorism agencies; conducting research on terrorism in academia; or seeking opportunities in relevant industries.
Presumably it's also suitable for students interested in pursuing a career in terrorism? Or maybe this is an elaborate honey trap by the FBI, but I suspect that a) they don't have the motivation and b) they can't afford to fund the course.

2014-09-19

Don't ask for your emails to be deleted

Darrell Issa, Republican congressman from California (yes, amazingly they exist), has released the oversight report on the initial rollout of Healthcare.gov, and it isn't pretty. The bulk of the report is based on emails retrieved from Health and Human Services and its CMS subsidiary, and the report authors did a nice job of excerpting the damning snippets that confirmed everyone's suspicions about the rollout: the grunts implementing and testing the site knew darned well that it wasn't ready, but they were overridden.

I don't find any particular reason in the report to believe that the President knew the site wasn't ready; it looks very much like he and his advisors were assured that everything was in hand, and he had no particular reason to disbelieve it. The problems occurred lower down in the hierarchy:

Mr. Sivak showed Mr. Baitman emails that were made public by Congress in the wake of Healthcare.gov's disastrous launch. In these emails, dated September 27, 2013 [launch date was Oct 1st], a CMS official working on the FFM development, wrote "the facts are that we have not successfully handled more than 500 concurrent users filling out applications in an environment that is similarly in size to Day 1 production." In response, Mr. Baitman wrote "Frankly, it’s worse than I imagined!" Mr. Sivak replied, "Anyone who has any software experience at all would read that and immediately ask what the fuck you were thinking by launching."
Indeed, we were asking almost exactly that question. And there was no naivety about motivations:
How did one week Henry Chao tell us there was no way Account Transfer would be ready, then a meeting at the White House and a week later, oh, yeah, everything is back on track, we’ll meet the dates? That’s what I mean by WTF. You could definitely see the CYA moves coming a mile away
Doublethink is clearly very important for project managers. Henry Chao was one of the prime Healthcare.gov project managers and it appears he knew that the site was heading to disaster, but for some reason he couldn't or wouldn't articulate this to the administration.

Issa, of course, has plenty of partisan reasons to bash the administration and the Healthcare.gov backers, but it's hard to conclude anything other than that this launch was destined to crash and burn spectacularly, that this was known well in advance, and that it was egregiously mis-managed. That Mikey Dickerson and his crew managed to retrieve some semblance of success from this state was amazing, but not something that should be relied on by any future project manager.

Once again, the maxim "Do not write anything in an email that you do not want to see on the front page of a major newspaper" is confirmed. The usual justification for it is a combination of a) mail is transferred in the clear between servers on the public internet (this is changing as servers adopt STARTTLS, but that is opportunistic encryption, so you can't count on it), and b) the risk of putting the wrong person on your To: or Cc: lines. This report highlights a third: the risk that your email will be retrieved during a legal discovery process. If you send mail from a company or government email system it will be archived there and available to later discovery even if you and the recipient delete your copies, and the same applies if any of your recipients uses such an address.

The Verge provides a nice summary of the highlights in the report if you don't have the stomach to read the whole thing.

2014-09-08

Take the upside and you own the downside

I was annoyed by this inane Reuters article on the fate of the UK's gold stash:

An independent Scotland could lay claim to a part of the United Kingdom's 310-tonne gold reserves if votes go in favour of the "Yes" campaign this month, with ownership of Britain's bullion hoard up for negotiation along with other assets.
If I were Scotland, I'd run as far as possible from the £7.8bn pile of gold bricks. The reason I'd do this is because if I take on a fraction of the assets of the UK, I have no argument against also taking on its liabilities:
As of Q1 2013 UK government debt amounted to £1,377 billion, or 88.1% of total GDP, at which time the annual cost of servicing the public debt amounted to around £43bn, or roughly 3% of GDP.
Why would you take (say) 10% of £7.8bn when you'd also have to assume 10% of a £1400bn liability? You'd have to be stark staring bonkers. Alex Salmond isn't a rocket scientist, but even he would realise how dumb this would be.

2014-09-06

New clamping down on information in China

Spotted this on a net security research blog yesterday: someone is trying to snoop on the web traffic of Chinese students and researchers:

All evidence indicates that a MITM [man-in-the-middle] attack is being conducted against traffic between China’s nationwide education and research network CERNET and www.google.com. It looks as if the MITM is carried out on a network belonging to AS23911, which is the outer part of CERNET that peers with all external networks. This network is located in China, so we can conclude that the MITM was being done within the country.
To decipher this, readers should note that CERNET is the Chinese network for education and research - universities and the like. The regular Great Firewall of China blocking is fairly crude and makes it practically difficult for researchers to get access to the information they need, so CERNET users have mostly free access to the Internet at large - I'm sure their universities block access to dodgy sites, but to be fair so do Western universities. What's happening is that someone is intercepting - not just snooping on - their requests to go to www.google.com and is trying to pretend to be Google.

The intercept fails because Google, like Facebook, Yahoo and Twitter, redirects plain HTTP requests for its homepage to HTTPS, so most people end up bookmarking the HTTPS address. The users were therefore requesting https://www.google.com/, and to impersonate Google the attackers had to present a certificate for www.google.com. The way SSL is designed makes this hard: they couldn't get a reputable Certificate Authority to sign a certificate saying "sure, this is Google", so they signed it themselves, much like a schoolchild writing a note purportedly from a parent and signing it with their own name. Modern browsers (Chrome, Firefox, recent versions of IE) refuse the connection and warn you when the certificate doesn't chain to a trusted CA, which is how the users noticed. The Netresec team's analysis of the connection timings also indicated strongly that the interceptor was somewhere within China.

The attack doesn't seem to be very sophisticated, but it does require reasonable resources and access to networking systems: you have to reprogram routers in the path of the traffic so that packets addressed to Google arrive at your own server instead, so you either need to own the routers to start with or compromise the routers of an organisation like a university. Generally, the further you are from the user you're intercepting, the greater your resources need to be. It would be interesting to know what fraction of traffic is being intercepted: the more users you intercept, the more computing resource the attack needs, because for every connection you have to terminate the user's SSL session with your fake certificate, log the request, and then open your own connection to Google to fetch the results the user asked for.

The attempted intercepts were originally reported on the Greatfire.org blog which observes that there were several reports from around CERNET of this happening. Was this a trial run? If so it has rather blown up in the faces of the attackers; now the word will circulate about the eavesdropping and CERNET users will be more cautious when faced with odd connection errors.

If the attackers want to press on, I'd expect the next step to be more sophisticated. One approach is SSL stripping. The interceptor can't rewrite a request the browser has already sent as HTTPS, since it can't see inside the encrypted connection; what it can do is sit on the plain HTTP connection that most visits start with. A user who types twitter.com into the address bar gets http://www.twitter.com/ requested, the real site answers with a redirect to https://, and the attacker rewrites that redirect (and every https:// link in the pages that follow) back to http://. The user's browser carries on over an unencrypted connection to the attacker, who talks HTTPS to the real site on the user's behalf, and there's no certificate warning because the user never asked for a certificate. Luckily, with Twitter this will not work well. If you run "curl -I https://www.twitter.com/" from a command line, you'll see this:

HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sat, 06 Sep 2014 17:23:21 UTC
location: https://twitter.com/
server: tsa_a
set-cookie: guest_id=XXXXXXXXXXXXXXXXX; Domain=.twitter.com; Path=/; Expires=Mon, 05-Sep-2016 17:23:21 UTC
strict-transport-security: max-age=631138519
x-connection-hash: aaaaaaaaaaaaaaaa
That "strict-transport-security" line tells the browser that for the next max-age seconds (631138519 here, about 20 years) every connection to this host must use HTTPS: the browser rewrites any http:// URL for the host to https:// before sending a single byte, and it must not let the user click through a certificate error either. This is HTTP Strict Transport Security (HSTS, RFC 6797), and it is exactly what defeats SSL stripping, with two caveats. The header is only honoured when it arrives over HTTPS (otherwise an interceptor could plant or withdraw policies), and it does nothing for a browser that has never reached the site over HTTPS: the very first visit is still strippable, which is why Chrome and Firefox ship a built-in preload list of hosts treated as HSTS from the start, Twitter's domains among them. Twitter is one of the first big sites I've seen using it - Google and Facebook haven't adopted it yet, at least for their main sites.
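To make the mechanism concrete, here is a small model of an HSTS policy cache and of what an SSL-stripping attacker does to a redirect. This is an added example, not code from the original post or from Twitter; the header dictionary is constructed to match the curl output above, and the hostnames, the timestamp T0 and the helper names (HstsCache, sslstrip, navigate) are assumptions for illustration.

```python
"""Toy model of HTTP Strict Transport Security (RFC 6797) and of SSL stripping.
Added example, not code from the original post or from Twitter.  The header
dictionary below is constructed from the curl output quoted above."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the response headers quoted above, as a browser would see them.
TWITTER_HEADERS = {
    "location": "https://twitter.com/",
    "strict-transport-security": "max-age=631138519",
}
T0 = 1410024201  # Sat, 06 Sep 2014 17:23:21 UTC, the date in the curl output


class HstsCache:
    """Per-host HSTS policies, kept the way a browser keeps them."""

    def __init__(self, preload=()):
        # host -> (expiry as unix time, includeSubDomains flag); preloaded hosts never expire
        self._policies = {h.lower(): (float("inf"), True) for h in preload}

    def observe_response(self, url, headers, now=None):
        """Store the policy from an HTTPS response; return True if one was stored or withdrawn.
        A header received over plain HTTP is ignored (RFC 6797 s8.1), otherwise an
        on-path attacker could plant or revoke policies."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', arg.strip())
                if m is None:
                    return False            # malformed: ignore the whole header
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                    # max-age is mandatory
        host = parts.hostname.lower()
        now = time.time() if now is None else now
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now=None):
        """True if host, or a parent domain whose policy has includeSubDomains, is still in force."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is not None:
                expiry, include_sub = policy
                if expiry > now and (i == 0 or include_sub):
                    return True
        return False

    def rewrite(self, url, now=None):
        """The URL the browser actually fetches: http:// becomes https:// for a known
        host before any bytes leave the machine (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or "", now):
            return url
        port = 443 if parts.port == 80 else parts.port
        netloc = parts.hostname if port is None else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def sslstrip(location):
    """What the on-path attacker does to a redirect it can read: downgrade it, so the
    victim keeps talking plaintext while the attacker proxies to the real site over TLS."""
    return location.replace("https://", "http://", 1)


def navigate(cache, typed_url, server_redirect, attacker_on_path, now=None):
    """Follow one redirect hop and return the URL the browser ends up requesting."""
    first = cache.rewrite(typed_url, now)
    if first.startswith("https://"):
        # TLS from the first byte: the attacker sees only ciphertext and cannot touch the redirect.
        return cache.rewrite(server_redirect, now)
    location = sslstrip(server_redirect) if attacker_on_path else server_redirect
    return cache.rewrite(location, now)


if __name__ == "__main__":
    fresh = HstsCache()
    print(navigate(fresh, "http://www.twitter.com/", "https://twitter.com/", True, now=T0))
    seen = HstsCache()
    seen.observe_response("https://www.twitter.com/", TWITTER_HEADERS, now=T0)
    print(navigate(seen, "http://www.twitter.com/", "https://twitter.com/", True, now=T0))
```

Run stand-alone it prints http://twitter.com/ for the fresh browser (the redirect was stripped and the victim stays in plaintext) and https://twitter.com/ once the policy from a previous HTTPS visit is cached, because the browser never emits the plain request the attacker needs. The same cache also shows the caveats: a policy learned for www.twitter.com does not cover twitter.com itself unless includeSubDomains is set on the parent, a header seen over plain HTTP is discarded, and a policy is gone once max-age seconds have passed or the site sends max-age=0.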

Alternatively the interceptor may try to compromise a reputable certificate authority so it can forge certificates that browsers will actually accept. This would be a really big investment, almost certainly requiring nation-state-level resources, and would probably not be done just to snoop on researchers - if you can do this, it's very valuable for all sorts of access. It also won't work for the major sites, because Chrome and Firefox use certificate pinning: the browser ships with a list of the public keys (or the CAs) allowed to appear in the certificate chain for those sites, and a chain signed by any other CA, however trusted in general, is rejected and reported. This has happened before: the 2011 DigiNotar compromise produced a forged google.com certificate that was used against users in Iran, and it was Chrome's built-in Google pins that caught it. The catch is that pins only cover the handful of sites the browser vendor has built them in for; a mis-issued certificate for anyone else would still be accepted.

The most effective approach, for what it's worth, is to compromise the endpoints themselves and put logging software on the computers connected to CERNET, since software on the user's machine sees the traffic before it's encrypted and no certificate or HSTS check will notice it. But that's probably logistically infeasible at scale - it only works for targeting a small number of users.

So someone with significant resources in China is trying to find out what their researchers are searching for. Is the government getting nervous about what information is flowing into China via this route?

2014-09-03

Surrender monkeys don't eat balut

A fascinating shit-storm is brewing between the Philippine Army and the UN Disengagement Observer Force as a result of recent events in the Golan Heights:

The Philippine military said Monday that a U.N. peacekeeping commander in the Golan Heights should be investigated for allegedly asking Filipino troops to surrender to Syrian rebels who had attacked and surrounded their camp.
[...]
When the besieged Filipino troops sought his [Gen. Catapang's] advice after they were ordered to lay down their arms as part of an arrangement with the rebels to secure the Fijians' release, Catapang said he asked them to defy the order.
It seems that in order to facilitate negotiations for the release of 45 Fijian soldiers captured by the (al-Qaeda affiliated) Nusra Front rebels - such capture perhaps due to less-than-stellar planning by UNDOF - the UNDOF commander decided that yielding to the rebels' demands for the Filipino troops to give up their weapons would be just dandy. After all, what could possibly go wrong?

Gen. Catapang is Chief of Staff of the Philippine Armed Forces, so can't really rise any higher in the command structure, and isn't well-known enough to run for high government office, so he's got no real motive to puff up his role in this dispute. I'm inclined to believe the main thrust of his account. Since the army has been in near-continuous counter-insurgency campaigns, with the communist NPA in the central Philippines and the Islamic groups in the south and south west, they've accumulated quite a lot of experience with fanatic groups and have presumably absorbed the lesson that doing what your opponent tells you to seldom works out well.

It'll be interesting to see if the resolution of the dispute is made public:

Catapang said an investigation would allow the UNDOF commander to explain his side and the Philippine military to explain why it advised the Filipino peacekeepers to defy his order.
I doubt the second part will take very long. I'd start with "Because it was bloody stupid" and work up from there. Catapang, as a 4-star general, comfortably out-ranks UNDOF's 2-star leader and so there's no insubordination problem I can see. The first part would be educational though: just what did the UNDOF commander think would happen if the Filipino troops had laid down their arms as ordered? And what involvement did the UNDOF commander have in the Fijians being captured in the first place? The Philippine Army is withdrawing from the UNDOF mission in the Golan, presumably because they have no appetite for being put in the same position again when UNDOF decides that covering its backside is more important than the safety of the troops in its command.

It seems that si vis pacem, para bellum is still true: if you want to keep the peace, you have to be prepared to kick ass.

Update: Richard Fernandez at the Belmont Club is well worth reading on this topic:

In the past the UN apparatchiks have relied on the faithfulness of their subordinate commanders to take a bullet for the team. "Theirs not to reason why, theirs but to do and die." But Tennyson had never been to the Philippines where the word for blindly following orders is tanga – or sap.